Problem
src/gep/sanitize.js::redactString is the last line of defense before
session log excerpts (up to 2,000 chars) and per-event reason
strings are posted to config.repo by src/gep/issueReporter.js. It
redacts OpenAI sk-…, GitHub gh[pousr]_…, AWS access keys, bearer
tokens, and similar. It does not redact:
| Format | Example |
| --- | --- |
| Slack bot/user tokens | xoxb-…, xoxp-… |
| JWT (header.payload.signature) | eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.sflKxw… |
| Azure storage connection strings | DefaultEndpointsProtocol=https;AccountName=…;AccountKey=…;… |
| Discord bot tokens | ODY4…YPc-6Q… |
Reproduction
const { redactString } = require('./src/gep/sanitize');
const samples = [
'xoxb-1234567890-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx',
'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c',
'DefaultEndpointsProtocol=https;AccountName=acct;AccountKey=ABC123DEF456==;EndpointSuffix=core.windows.net',
'ODY4MzE2NTg4ODIwMTEyMzQ1.YPc-6Q.K3n1tfY9q9f4k_5vZl3Mw2X1AbC',
];
for (const s of samples) console.log(redactString(s) === s ? 'LEAKED' : 'ok');
Output against v1.67.1:
LEAKED
LEAKED
LEAKED
LEAKED
Because auto-issue bodies are posted to a public tracker, any secret
that lands in a session log in one of these formats will appear
verbatim in an issue body.
Prior art
PR #107 (fix: harden sanitize patterns for token leakage prevention)
attempted this exact hardening and was closed without merge on
2026-02-26. The module is still missing the patterns.
Request
Extend the redactor with patterns such as:
/xox[baprs]-[A-Za-z0-9-]{10,}/g // Slack
/eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]{20,}/g // JWT
/AccountKey=[^;\s]+/gi // Azure
/\b[MN][A-Za-z0-9]{23}\.[\w-]{6}\.[\w-]{27,}\b/g // Discord
Happy to submit a PR once the maintainers indicate whether PR #107 is
still a pattern you want to revive. I would rather not re-submit if
the policy reason for the earlier rejection is still in force.